bpf: add new prog type for cgroup socket filtering

author Daniel Mack <daniel@zonque.org>

Wed, 23 Nov 2016 15:52:25 +0000 (16:52 +0100)

committer David S. Miller <davem@davemloft.net>

Fri, 25 Nov 2016 21:25:52 +0000 (16:25 -0500)
author Daniel Mack <daniel@zonque.org>
Wed, 23 Nov 2016 15:52:25 +0000 (16:52 +0100)
committer David S. Miller <davem@davemloft.net>
Fri, 25 Nov 2016 21:25:52 +0000 (16:25 -0500)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h

index 7d9b2832c280c82172cb428a8e6d793359891db0..5ae679fac99306ec853e2a492407c377831f0c0f 100644 (file)
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -98,8 +98,17 @@ enum bpf_prog_type {
         BPF_PROG_TYPE_TRACEPOINT,
         BPF_PROG_TYPE_XDP,
         BPF_PROG_TYPE_PERF_EVENT,
+       BPF_PROG_TYPE_CGROUP_SKB,
  };
  
+enum bpf_attach_type {
+       BPF_CGROUP_INET_INGRESS,
+       BPF_CGROUP_INET_EGRESS,
+       __MAX_BPF_ATTACH_TYPE
+};
+
+#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
+
  #define BPF_PSEUDO_MAP_FD      1
  
  /* flags for BPF_MAP_UPDATE_ELEM command */
diff --git a/net/core/filter.c b/net/core/filter.c

index dece94fef0050731e81fc141d4da16b82449ecf3..2de302d6803851c58c1b710146a73bf9de021e23 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2630,6 +2630,17 @@ xdp_func_proto(enum bpf_func_id func_id)
         }
  }
  
+static const struct bpf_func_proto *
+cg_skb_func_proto(enum bpf_func_id func_id)
+{
+       switch (func_id) {
+       case BPF_FUNC_skb_load_bytes:
+               return &bpf_skb_load_bytes_proto;
+       default:
+               return sk_filter_func_proto(func_id);
+       }
+}
+
  static bool __is_valid_access(int off, int size, enum bpf_access_type type)
  {
         if (off < 0 || off >= sizeof(struct __sk_buff))
@@ -2992,6 +3003,12 @@ static const struct bpf_verifier_ops xdp_ops = {
         .convert_ctx_access     = xdp_convert_ctx_access,
  };
  
+static const struct bpf_verifier_ops cg_skb_ops = {
+       .get_func_proto         = cg_skb_func_proto,
+       .is_valid_access        = sk_filter_is_valid_access,
+       .convert_ctx_access     = sk_filter_convert_ctx_access,
+};
+
  static struct bpf_prog_type_list sk_filter_type __read_mostly = {
         .ops    = &sk_filter_ops,
         .type   = BPF_PROG_TYPE_SOCKET_FILTER,
@@ -3012,12 +3029,18 @@ static struct bpf_prog_type_list xdp_type __read_mostly = {
         .type   = BPF_PROG_TYPE_XDP,
  };
  
+static struct bpf_prog_type_list cg_skb_type __read_mostly = {
+       .ops    = &cg_skb_ops,
+       .type   = BPF_PROG_TYPE_CGROUP_SKB,
+};
+
  static int __init register_sk_filter_ops(void)
  {
         bpf_register_prog_type(&sk_filter_type);
         bpf_register_prog_type(&sched_cls_type);
         bpf_register_prog_type(&sched_act_type);
         bpf_register_prog_type(&xdp_type);
+       bpf_register_prog_type(&cg_skb_type);
  
         return 0;
  }
author	Daniel Mack <daniel@zonque.org>
	Wed, 23 Nov 2016 15:52:25 +0000 (16:52 +0100)
committer	David S. Miller <davem@davemloft.net>
	Fri, 25 Nov 2016 21:25:52 +0000 (16:25 -0500)
include/uapi/linux/bpf.h		patch \| blob \| blame \| history
net/core/filter.c		patch \| blob \| blame \| history